PSA for DropBox ppl: apparently accts hacked (change your passwd!) Update: DB denies?

Hal~9000

macrumors 68020
Original poster
Sep 13, 2014
2,019
1,767
Update: thanks rocknblogger
http://www.cultofmac.com/299528/millions-dropbox-accounts-allegedly-compromised-massive-hack/
Update: A Dropbox spokesperson has confirmed that its service has not been hacked and that the exposed logins were mostly expired and harvested from third-party services. More information below.

An anonymous party has allegedly hacked 6,937,081 Dropbox accounts and gained access to email addresses and passwords in plain text. Hundreds of account emails and passwords have been posted online as proof, with whoever is responsible claiming that more will be shared after receiving Bitcoin donations.

“Dropbox has not been hacked,” said a spokesperson in a statement to Cult of Mac. “These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.”

Dropbox says it’s unclear which third-party services were compromised.

We’re still advising all Dropbox users to immediately change their passwords and enable two-step verification, as some online commenters have noticed suspicious activity like their files being deleted.
Original Post:
http://www.cultofmac.com/299528/millions-dropbox-accounts-allegedly-compromised-massive-hack/
An anonymous party has allegedly hacked 6,937,081 Dropbox accounts and gained access to email addresses and passwords in plain text. Hundreds of account emails and passwords have been posted online as proof, with whoever is responsible claiming that more will be shared after receiving Bitcoin donations.
We’re advising all Dropbox users to immediately change their passwords and enable two-step verification, as some online commenters have already noticed suspicious activity like their files being deleted.

Ironically, Dropbox just recently shared tips on how to protect yourself from phishing and other malware on the web.
The company hasn’t released any information about the hack yet. We’ll update when we hear more.
**** like this makes me want to go off the grid completely :mad:
 
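The Dropbox statement quoted above describes credential stuffing: a list of usernames and passwords stolen elsewhere is replayed against Dropbox logins, and the service says it had "previously detected these attacks" and expired the affected passwords. The following is an added example, not from the article or from Dropbox, of how a service can spot that pattern in its own authentication log: one source address trying many different accounts in a short window with a high failure rate. The log format and the sample events are constructed for the demonstration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real data), one per line:
# "<timestamp> <source IP> <username> <OK|FAIL>". The first source tries ten
# different accounts in ten seconds and gets into two of them, which is what a
# replayed credential list looks like; the other two sources are ordinary users.
SAMPLE_LOG = """\
2014-10-13T10:00:01Z 203.0.113.5 alice@example.com FAIL
2014-10-13T10:00:02Z 203.0.113.5 bob@example.com FAIL
2014-10-13T10:00:03Z 203.0.113.5 carol@example.com OK
2014-10-13T10:00:04Z 203.0.113.5 dave@example.com FAIL
2014-10-13T10:00:05Z 203.0.113.5 erin@example.com FAIL
2014-10-13T10:00:06Z 203.0.113.5 frank@example.com FAIL
2014-10-13T10:00:07Z 203.0.113.5 grace@example.com FAIL
2014-10-13T10:00:08Z 203.0.113.5 heidi@example.com OK
2014-10-13T10:00:09Z 203.0.113.5 ivan@example.com FAIL
2014-10-13T10:00:10Z 203.0.113.5 judy@example.com FAIL
2014-10-13T10:05:00Z 198.51.100.7 alice@example.com FAIL
2014-10-13T10:05:20Z 198.51.100.7 alice@example.com FAIL
2014-10-13T10:05:40Z 198.51.100.7 alice@example.com OK
2014-10-13T11:00:00Z 192.0.2.9 bob@example.com OK
"""

LoginEvent = namedtuple("LoginEvent", "ts ip user ok")


def parse_log(text):
    """Parse the hypothetical log format above into LoginEvent tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=8):
    """Flag source IPs that try at least `min_accounts` distinct usernames inside a
    sliding time window, and list the accounts they successfully logged into."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until events[start..end] fit in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            if len(users) < min_accounts:
                continue
            prev = alerts.get(ip)
            if prev is None or len(users) > prev["distinct_accounts"]:
                alerts[ip] = {
                    "window_start": span[0].ts,
                    "attempts": len(span),
                    "distinct_accounts": len(users),
                    "failures": sum(1 for e in span if not e.ok),
                    # A successful login from a stuffing source means that password is
                    # in the attacker's list: expire it and force a reset, as Dropbox did.
                    "accounts_to_reset": sorted({e.user for e in span if e.ok}),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds (eight distinct accounts in five minutes) are illustrative; a real deployment tunes them against its own traffic and also keys on username-per-ASN or per-user-agent, since stuffing tools spread attempts across many source addresses.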

Hal~9000

macrumors 68020
Original poster
Sep 13, 2014
2,019
1,767
And this is why I'm still not sold on the whole cloud idea. Now I've got to go change my passwords

I agree. Why should I store my stuff online versus a hard/flash drive again? So hacker groups have a bigger fish (i.e. huge company with a lot of user sensitive information) to target and find a potential weakness? Already changed my password but man stuff like this pisses me off :mad:

Passwords and emails in plain text? Really Dropbox? :rolleyes:

Of course this doesn't mean all the other cloud companies out there aren't already being hacked as well :adjusts tinfoil hat:

p.s. my apologies dropbox if this report is false
 

Supermallet

macrumors 65816
Sep 19, 2014
1,307
656
Always always always enable two-step verification if a service or website offers it. It can be a bit of a pain but it's worth it for the security.

Also I recommend using a password manager (I use LastPass) to generate randomized passwords unique to each site and service, and then enable two-step verification on your password manager.
 

terraphantm

macrumors 68040
Jun 27, 2009
3,741
557
Pennsylvania
Always always always enable two-step verification if a service or website offers it. It can be a bit of a pain but it's worth it for the security.

Also I recommend using a password manager (I use LastPass) to generate randomized passwords unique to each site and service, and then enable two-step verification on your password manager.

Remembering a randomized password isn't easy. Pass phrases would be better really, but many sites have a limit to the number of characters
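The two posts above make a trade-off concrete: a random string packs more entropy per character than a passphrase, while a passphrase is easier to remember but may not fit a site's length cap. The following is an added example, not code from anyone in the thread or from any password manager, that does the arithmetic and picks whichever form reaches a target entropy within a site's maximum length. The word list is a constructed toy list; real generators use lists of thousands of words.

```python
import math
import secrets
import string

# Constructed toy word list for the demonstration. Diceware-style lists have 7776 words;
# this one is deliberately tiny (4 bits per word) so the arithmetic is easy to follow.
WORDS = ["apple", "bolt", "cedar", "dune", "ember", "fjord", "gust", "hazel",
         "iris", "jade", "kelp", "lunar", "moss", "nova", "opal", "pine"]

# The 94 printable ASCII characters, the usual alphabet for generated passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` symbols."""
    return count * math.log2(choices)


def picks_needed(target_bits, choices):
    """Smallest number of uniform picks from `choices` symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def random_password(length, alphabet=ALPHABET):
    """Uniformly random password. `secrets` is a CSPRNG; `random` is not suitable here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(word_count, words=WORDS, sep="-"):
    """Uniformly random passphrase, sampling with replacement so the entropy
    calculation in entropy_bits() is exact."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def strong_secret_for_site(max_len, target_bits=77.0, words=WORDS, alphabet=ALPHABET):
    """Prefer a passphrase; fall back to a random string when the site's length cap
    cannot hold a passphrase with the required entropy. Returns (secret, kind)."""
    phrase = passphrase(picks_needed(target_bits, len(words)), words)
    if len(phrase) <= max_len:
        return phrase, "passphrase"
    return random_password(picks_needed(target_bits, len(alphabet)), alphabet), "random"


if __name__ == "__main__":
    # With a 7776-word list, six words give about 77.5 bits but roughly 40 characters;
    # twelve random printable characters give about 78.7 bits.
    print(entropy_bits(7776, 6), picks_needed(77, 94))
    for cap in (20, 128):
        print(cap, *strong_secret_for_site(cap))
```

Whatever form is chosen, the secret should be unique to the one site that receives it, which is the point Supermallet makes about a manager generating and storing per-site passwords: a leak at one service then does not unlock any other.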
 

Altimax98

macrumors 6502
Mar 26, 2012
302
69
Lakeland Fl
I utilize 2 step on every service that offers it. If they do not offer it they get a burner (but strong) password and it's for random crap.
 

Supermallet

macrumors 65816
Sep 19, 2014
1,307
656
That's the other part of the password manager, to autofill all those randomized passwords that it generated. It's even better with iOS 8 because now you can autofill just by using TouchID.

Look into LastPass or PasswordBox or 1Password, services like those. They all have slightly different features and pay models but they're better than coming up with passwords on your own. I personally use LastPass and have two-step authentication setup on it. I use an authenticator program that I keep on a USB to log in on computers so even if someone got my LastPass master password, they'd have to also steal the USB drive I use, find the app, and generate a one-time use code with it in order to access my data. Any attempts to access my passwords without the app will result in garbled, useless data since all of my passwords are encrypted. Same if someone tried to hack LastPass' servers.
 

IrishVixen

macrumors 68020
Jun 20, 2010
2,495
100
Oh FFS. Dealing with this crap is getting old.

And two step authentication doesn't fix stupidity on the corporate end. Plain text?!?! Seriously?!
 

rocknblogger

macrumors 68020
Apr 2, 2011
2,331
466
New Jersey

Supermallet

macrumors 65816
Sep 19, 2014
1,307
656
Oh FFS. Dealing with this crap is getting old.

And two step authentication doesn't fix stupidity on the corporate end. Plain text?!?! Seriously?!

Two-step doesn't fix stupidity on the corporate end, but it does mitigate it.

Let's say my password, although randomized, is on that list. Someone takes that list and uses my login and password.

Dropbox then asks it to authenticate using a code from the authenticator app on my phone (and by the way, I recommend Toopher over Google Authenticator). The person who has the list doesn't have my phone, so they won't be able to access any content on my Dropbox. And if they ask Dropbox to send a text instead, the text goes to my phone and I know I need to change my password since I'm not currently trying to sign in to Dropbox.

The only way this becomes a problem is if A) the person with the list also stole or spoofed my phone (and managed to fake my TouchID or get my phone phrase password--not a PIN) or B) I use the same login and password on other sites without two-factor authentication.

That's where a good password manager comes in. You can ensure that every site has a unique password that can easily be changed to something equally complex very quickly. I changed my Dropbox password within two minutes of making my first post in this thread. It's randomized and now my password manager has that one on file instead of my previous password.

This stuff takes a little time to set up, but once you do, it runs very smoothly. At least the way I implement it.
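The post above walks through the mitigation in prose: someone holding a leaked password gets as far as the second-factor prompt and no further, and the code on the phone changes every 30 seconds. The following is an added example, not code from Dropbox, Toopher, Google Authenticator or anyone in the thread, that implements that server-side flow with standard-library pieces: passwords stored only as salted PBKDF2 digests (addressing the "plain text?" complaint) and an RFC 6238 TOTP check for the second factor. The account store is an in-memory dict, and the TOTP secret in the usage block is the RFC 6238 test-vector key, not a real one.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated digest: the only thing the service ever stores for a password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the same value the authenticator app computes."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, at, step=30, skew=1):
    """Accept the current code and `skew` neighbouring steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + i * step, step), code)
               for i in range(-skew, skew + 1))


def enroll(accounts, user, password, totp_secret=None):
    """Hypothetical account store: a dict keyed by username (a real service uses a DB)."""
    salt, iterations, digest = hash_password(password)
    accounts[user] = {"salt": salt, "iterations": iterations, "digest": digest,
                      "totp_secret": totp_secret}


def login(accounts, user, password, code=None, now=None):
    """Returns 'denied', 'second_factor_required' or 'ok'.
    A correct password alone never yields 'ok' once two-step is enrolled."""
    acct = accounts.get(user)
    if acct is None or not verify_password(password, acct["salt"],
                                           acct["iterations"], acct["digest"]):
        return "denied"
    if acct["totp_secret"] is None:
        return "ok"
    if code is None:
        return "second_factor_required"
    now = time.time() if now is None else now
    return "ok" if verify_totp(acct["totp_secret"], code, now) else "denied"


if __name__ == "__main__":
    accounts = {}
    rfc_secret = b"12345678901234567890"  # RFC 6238 test-vector key, for illustration only
    enroll(accounts, "alice@example.com", "leaked-elsewhere", rfc_secret)
    # Attacker with the leaked list: right password, no phone.
    print(login(accounts, "alice@example.com", "leaked-elsewhere", now=59))
    # Account owner: password plus the code the phone shows at that moment.
    print(login(accounts, "alice@example.com", "leaked-elsewhere", totp(rfc_secret, 59), now=59))
```

The `second_factor_required` outcome is exactly the point in the post where the text or push notification reaches the real owner's phone and acts as a tip-off that the password is compromised. In production the service would also rate-limit code attempts per account, since a six-digit code with a one-step skew is guessable given unlimited tries.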
 

waxlabo

macrumors regular
Sep 21, 2014
124
31
From the look of the password list it doesn't really seem like there was any breach in dropbox database. A lot of these passwords seem easy and any password generator bot would be able to figure it out.
 

urda

Suspended
Jun 15, 2010
258
17
San Francisco Bay Area
If you're not using a password manager to generate UNIQUE passwords for EVERY WEBSITE and you're not using two-factor, you have yourself to blame.

It's 2014, you should be using something like 1Password or LastPass.
 